MCP Tools Reference: chronicle.googleapis.com

Tool: evaluate_rule_coverage

Evaluates rule coverage for a given set of synthetic UDM events by checking if any existing managed rules match them.

This tool is essential for determining if a threat scenario, represented by synthetic UDM events, is already covered by existing detection content. It runs the provided UDM events against the active rule set and returns any matches, helping analysts identify coverage gaps or confirm protection.

Workflow Integration:

  • This tool is typically called AFTER generating synthetic logs for a given Threat Detection Opportunity (TDO).
  • The results of this tool inform the decision to create a new YARA-L rule. If coverage is sufficient, no further action may be needed; if coverage is absent or weak, rule generation tools should be used next.
  • Provides the necessary validation for automated detection engineering pipelines to prove coverage before and after rule deployment.

Use Cases:

  • Verify if an existing rule set detects a newly described threat or TTP.
  • Identify which specific rules are triggered by a set of synthetic attack events.
  • Validate the efficacy of a new rule draft by comparing its coverage against synthetic data.
  • Generate a coverage report that maps threat scenarios to existing detections.

Example Usage:

  • evaluate_rule_coverage(projectId='my-project', region='us', customerId='my-instance', udmsJson=[ '{"metadata": {"event_timestamp": "2023-10-27T10:00:00Z"}, "principal": {"user": {"userid": "bob"}}}' ])

The following sample demonstrates how to use curl to invoke the evaluate_rule_coverage MCP tool.

Curl Request

curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "evaluate_rule_coverage",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'

Input Schema

Request message for EvaluateRuleCoverage.

EvaluateRuleCoverageRequest

JSON representation

{
  "projectId": string,
  "customerId": string,
  "region": string,
  "udmsJson": [
    string
  ]
}
Fields
projectId

string

Required. Google Cloud project ID.

customerId

string

Required. Chronicle customer ID.

region

string

Required. Chronicle region (e.g., "us", "europe").

udmsJson[]

string

Required. A list of synthetic JSON strings, each representing one UDM event to check for coverage.

Output Schema

Response message for EvaluateRuleCoverage.

EvaluateRuleCoverageResponse

JSON representation

{
  "coverageResults": [
    {
      object (EvaluatedRuleCoverageResult)
    }
  ]
}
Fields
coverageResults[]

object (EvaluatedRuleCoverageResult)

If there is coverage, the rule information for each matching rule is returned. If there is no known coverage, this list is empty.

EvaluatedRuleCoverageResult

JSON representation

{
  "matchedRule": string,
  "feedbackId": string
}
Fields
matchedRule

string

A rule that matched against the input UDM.

feedbackId

string

The ID of the feedback report.
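
As an added example that is not part of the Chronicle documentation, the Python helpers below build the tools/call request shown in the curl example, read the JSON-RPC reply, and turn coverageResults into the pipeline decision described under Workflow Integration (rules matched, or generate a rule). Assumptions: the reply arrives either as a plain JSON body or as SSE "data:" frames (suggested by the accept header), the server wraps EvaluateRuleCoverageResponse in structuredContent or in a JSON text content item, and the IDs in the sample response are placeholders.

```python
import json

def build_coverage_request(project_id, customer_id, region, udm_events, request_id=1):
    """JSON-RPC tools/call payload for evaluate_rule_coverage; udmsJson holds JSON strings."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "evaluate_rule_coverage",
            "arguments": {
                "projectId": project_id,
                "customerId": customer_id,
                "region": region,
                # Each UDM event dict is serialised to match the schema's [string].
                "udmsJson": [json.dumps(e, separators=(",", ":")) for e in udm_events],
            },
        },
    }

def parse_mcp_response(body):
    """JSON-RPC message from a plain JSON body or from SSE 'data:' frames
    (SSE framing is an assumption based on the accept header in the curl example)."""
    text = body.strip()
    if text.startswith("{"):
        return json.loads(text)
    for line in text.splitlines():
        if line.startswith("data:"):
            msg = json.loads(line[len("data:"):])
            if "result" in msg or "error" in msg:
                return msg
    raise ValueError("no JSON-RPC result found in response body")

def coverage_decision(message):
    """('covered', matched rule names) or ('generate_rule', []) when coverageResults is empty.
    Reads structuredContent, else a JSON text content item (assumed server wrapping)."""
    if "error" in message:
        raise RuntimeError(f"MCP error: {message['error']}")
    result = message["result"]
    payload = result.get("structuredContent")
    if payload is None:
        texts = [c["text"] for c in result.get("content", []) if c.get("type") == "text"]
        payload = json.loads(texts[0]) if texts else {}
    rules = [r["matchedRule"] for r in payload.get("coverageResults", [])]
    return ("covered", rules) if rules else ("generate_rule", [])

# Constructed sample response in SSE framing (placeholder IDs, not real API output).
SAMPLE_SSE_RESPONSE = ('data: {"jsonrpc":"2.0","id":1,"result":{"structuredContent":{"coverageResults":'
                       '[{"matchedRule":"PLACEHOLDER_RULE","feedbackId":"PLACEHOLDER_FEEDBACK_ID"}]}}}\n\n')
```

Send the payload from build_coverage_request as the --data body of the curl request above; an empty coverageResults list is the signal to move on to the rule generation tools.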

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ✅ | Open World Hint: ❌
